ecp_internal_alt.h (10786B)
1 /** 2 * \file ecp_internal_alt.h 3 * 4 * \brief Function declarations for alternative implementation of elliptic curve 5 * point arithmetic. 6 */ 7 /* 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 10 */ 11 12 /* 13 * References: 14 * 15 * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records. 16 * <http://cr.yp.to/ecdh/curve25519-20060209.pdf> 17 * 18 * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis 19 * for elliptic curve cryptosystems. In : Cryptographic Hardware and 20 * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302. 21 * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25> 22 * 23 * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to 24 * render ECC resistant against Side Channel Attacks. IACR Cryptology 25 * ePrint Archive, 2004, vol. 2004, p. 342. 26 * <http://eprint.iacr.org/2004/342.pdf> 27 * 28 * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters. 29 * <http://www.secg.org/sec2-v2.pdf> 30 * 31 * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic 32 * Curve Cryptography. 33 * 34 * [6] Digital Signature Standard (DSS), FIPS 186-4. 35 * <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf> 36 * 37 * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer 38 * Security (TLS), RFC 4492. 39 * <https://tools.ietf.org/search/rfc4492> 40 * 41 * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html> 42 * 43 * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory. 44 * Springer Science & Business Media, 1 Aug 2000 45 */ 46 47 #ifndef MBEDTLS_ECP_INTERNAL_H 48 #define MBEDTLS_ECP_INTERNAL_H 49 50 #include "mbedtls/build_info.h" 51 52 #if defined(MBEDTLS_ECP_INTERNAL_ALT) 53 54 /** 55 * \brief Indicate if the Elliptic Curve Point module extension can 56 * handle the group. 57 * 58 * \param grp The pointer to the elliptic curve group that will be the 59 * basis of the cryptographic computations. 60 * 61 * \return Non-zero if successful. 62 */ 63 unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp); 64 65 /** 66 * \brief Initialise the Elliptic Curve Point module extension. 67 * 68 * If mbedtls_internal_ecp_grp_capable returns true for a 69 * group, this function has to be able to initialise the 70 * module for it. 71 * 72 * This module can be a driver to a crypto hardware 73 * accelerator, for which this could be an initialise function. 74 * 75 * \param grp The pointer to the group the module needs to be 76 * initialised for. 77 * 78 * \return 0 if successful. 79 */ 80 int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp); 81 82 /** 83 * \brief Frees and deallocates the Elliptic Curve Point module 84 * extension. 85 * 86 * \param grp The pointer to the group the module was initialised for. 87 */ 88 void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp); 89 90 #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) 91 92 #if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) 93 /** 94 * \brief Randomize jacobian coordinates: 95 * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l. 96 * 97 * \param grp Pointer to the group representing the curve. 98 * 99 * \param pt The point on the curve to be randomised, given with Jacobian 100 * coordinates. 101 * 102 * \param f_rng A function pointer to the random number generator. 103 * 104 * \param p_rng A pointer to the random number generator state. 105 * 106 * \return 0 if successful. 107 */ 108 int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp, 109 mbedtls_ecp_point *pt, int (*f_rng)(void *, 110 unsigned char *, 111 size_t), 112 void *p_rng); 113 #endif 114 115 #if defined(MBEDTLS_ECP_ADD_MIXED_ALT) 116 /** 117 * \brief Addition: R = P + Q, mixed affine-Jacobian coordinates. 118 * 119 * The coordinates of Q must be normalized (= affine), 120 * but those of P don't need to. R is not normalized. 121 * 122 * This function is used only as a subrutine of 123 * ecp_mul_comb(). 124 * 125 * Special cases: (1) P or Q is zero, (2) R is zero, 126 * (3) P == Q. 127 * None of these cases can happen as intermediate step in 128 * ecp_mul_comb(): 129 * - at each step, P, Q and R are multiples of the base 130 * point, the factor being less than its order, so none of 131 * them is zero; 132 * - Q is an odd multiple of the base point, P an even 133 * multiple, due to the choice of precomputed points in the 134 * modified comb method. 135 * So branches for these cases do not leak secret information. 136 * 137 * We accept Q->Z being unset (saving memory in tables) as 138 * meaning 1. 139 * 140 * Cost in field operations if done by [5] 3.22: 141 * 1A := 8M + 3S 142 * 143 * \param grp Pointer to the group representing the curve. 144 * 145 * \param R Pointer to a point structure to hold the result. 146 * 147 * \param P Pointer to the first summand, given with Jacobian 148 * coordinates 149 * 150 * \param Q Pointer to the second summand, given with affine 151 * coordinates. 152 * 153 * \return 0 if successful. 154 */ 155 int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp, 156 mbedtls_ecp_point *R, const mbedtls_ecp_point *P, 157 const mbedtls_ecp_point *Q); 158 #endif 159 160 /** 161 * \brief Point doubling R = 2 P, Jacobian coordinates. 162 * 163 * Cost: 1D := 3M + 4S (A == 0) 164 * 4M + 4S (A == -3) 165 * 3M + 6S + 1a otherwise 166 * when the implementation is based on the "dbl-1998-cmo-2" 167 * doubling formulas in [8] and standard optimizations are 168 * applied when curve parameter A is one of { 0, -3 }. 169 * 170 * \param grp Pointer to the group representing the curve. 171 * 172 * \param R Pointer to a point structure to hold the result. 173 * 174 * \param P Pointer to the point that has to be doubled, given with 175 * Jacobian coordinates. 176 * 177 * \return 0 if successful. 178 */ 179 #if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) 180 int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp, 181 mbedtls_ecp_point *R, const mbedtls_ecp_point *P); 182 #endif 183 184 /** 185 * \brief Normalize jacobian coordinates of an array of (pointers to) 186 * points. 187 * 188 * Using Montgomery's trick to perform only one inversion mod P 189 * the cost is: 190 * 1N(t) := 1I + (6t - 3)M + 1S 191 * (See for example Algorithm 10.3.4. in [9]) 192 * 193 * This function is used only as a subrutine of 194 * ecp_mul_comb(). 195 * 196 * Warning: fails (returning an error) if one of the points is 197 * zero! 198 * This should never happen, see choice of w in ecp_mul_comb(). 199 * 200 * \param grp Pointer to the group representing the curve. 201 * 202 * \param T Array of pointers to the points to normalise. 203 * 204 * \param t_len Number of elements in the array. 205 * 206 * \return 0 if successful, 207 * an error if one of the points is zero. 208 */ 209 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) 210 int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp, 211 mbedtls_ecp_point *T[], size_t t_len); 212 #endif 213 214 /** 215 * \brief Normalize jacobian coordinates so that Z == 0 || Z == 1. 216 * 217 * Cost in field operations if done by [5] 3.2.1: 218 * 1N := 1I + 3M + 1S 219 * 220 * \param grp Pointer to the group representing the curve. 221 * 222 * \param pt pointer to the point to be normalised. This is an 223 * input/output parameter. 224 * 225 * \return 0 if successful. 226 */ 227 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) 228 int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp, 229 mbedtls_ecp_point *pt); 230 #endif 231 232 #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */ 233 234 #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) 235 236 #if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) 237 int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp, 238 mbedtls_ecp_point *R, 239 mbedtls_ecp_point *S, 240 const mbedtls_ecp_point *P, 241 const mbedtls_ecp_point *Q, 242 const mbedtls_mpi *d); 243 #endif 244 245 /** 246 * \brief Randomize projective x/z coordinates: 247 * (X, Z) -> (l X, l Z) for random l 248 * 249 * \param grp pointer to the group representing the curve 250 * 251 * \param P the point on the curve to be randomised given with 252 * projective coordinates. This is an input/output parameter. 253 * 254 * \param f_rng a function pointer to the random number generator 255 * 256 * \param p_rng a pointer to the random number generator state 257 * 258 * \return 0 if successful 259 */ 260 #if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) 261 int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp, 262 mbedtls_ecp_point *P, int (*f_rng)(void *, 263 unsigned char *, 264 size_t), 265 void *p_rng); 266 #endif 267 268 /** 269 * \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1. 270 * 271 * \param grp pointer to the group representing the curve 272 * 273 * \param P pointer to the point to be normalised. This is an 274 * input/output parameter. 275 * 276 * \return 0 if successful 277 */ 278 #if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) 279 int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp, 280 mbedtls_ecp_point *P); 281 #endif 282 283 #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */ 284 285 #endif /* MBEDTLS_ECP_INTERNAL_ALT */ 286 287 #endif /* ecp_internal_alt.h */